For some organizations with many distributed remote offices (branches, or retail outlets, such as retail chains or F&B companies), the remote networks are usually connected back to the HQ network via layer 3 IP networks, either through the public Internet, MPLS, or private leased-line, etc. But sometimes it may be desirable to connect remote sites “seamlessly” as if the sites are directly connected via an Ethernet cable and sit in the same layer-2 Ethernet network (eg. emulated Metro-E backbone network).
There are a few options to achieve such objectives.
- Some service providers offers Metro-Ethernet service, which can be expensive.
- Another option is to use L2TPv3 tunneling to connect remote sites over Layer3 IP networks (eg. public Internet). This can be a alternative method and very cost-effective. mbox products support such feature (see more details here).
- However, L2TPv3 is a site-to-site tunnel that requires both end points to have static IP addresses, which may not always be feasible. For example, many small remote outlets typically subscribe for cheaper dynamic Internet lines, and they may even connect over mobile backhaul (3G|4G|5G/LTE), or a combination of both for redundancy. In such scenarios, running “Ethernet over SSLVPN” will offer flexibility, using HSA/UA together with CMG across any type of ISP networks.
To achieve “Ethernet over SSLVPN“, we will use a few built-in features from mbox CMG and HSA | UA product families:
- SSLVPN, allows remote sites to connect back to HQ using either static or dynamic IP lines (or even from behind a firewall). See more details.
- Multi-WAN, to provide redundancy for ISP links. Especially HSA-500-L2 comes with dual LTE support, and we can make use of Multi-WAN for bonding and auto-failover. See more on Multi-WAN, and learn how to configure Multi-WAN on HSA here.
- Ethernet bridging, to bridge SSLVPN tap tunnels with CMG & HSA/UA LAN interfaces, so the layer2 Ethernet networks are extended across IP SSLVPN tunnels as if they’re connected via an Ethernet cable. See more on Ethernet bridging.
In this section, we’re going to use CMG and HSA/UA to demonstrate this feature.
To configure a few key points to NOTE:
1. SSLVPN must run on tap mode (layer 2 tunnel).
2. Only one network (or one VLAN) per VPN instance is supported. Each VPN instance/tab bridges with one Ethernet segment.
3. If you need to support multiple VLANs, eg. multiple Ethernet segments across IP, you can run multiple instances of SSLVPN on both CMG and HSA, with each tap (instance of VPN) bridged to its respective VLAN. Alternatively, you can use the L2TPv3 tunnel (one tunnel trunking for multiple VLANs).
4. On CMG, assign tap and eth1 (LAN) in the same bridge group.
5. On HSA/UA, assign tap interface to br-lan (br-eth1) bridge.
6. (optional) Assign VPN tunnel pool to tap interfaces. It’s not necessary to assign IP addresses to tap interfaces, since the tap interfaces are like virtual “Ethernet” cables. But optionally you may want to do that so that you can ping the tap interfaces between HSA/UA, and CMG for connectivity tests only.
7. (optional) Configure Multi-WAN on HSA/UA for link redundancy.